Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04ampoLWozYzItY2pjds4AA3U2

Cross-site Scripting via uploaded assets

Impact

HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel which requires authentication.

Patches

It has been patched on 3.4.15 and 4.36.0.

Permalink: https://github.com/advisories/GHSA-8jjh-j3c2-cjcv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04ampoLWozYzItY2pjds4AA3U2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H

Identifiers: GHSA-8jjh-j3c2-cjcv, CVE-2023-48701
References: Repository: https://github.com/statamic/cms
Blast Radius: 19.4

Affected Packages

packagist:statamic/cms
Dependent packages: 377
Dependent repositories: 388
Downloads: 1,868,698 total
Affected Version Ranges: >= 4.0.0, < 4.36.0, < 3.4.15
Fixed in: 4.36.0, 3.4.15
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.0.21, 3.0.22, 3.0.23, 3.0.24, 3.0.25, 3.0.26, 3.0.27, 3.0.28, 3.0.29, 3.0.30, 3.0.31, 3.0.32, 3.0.33, 3.0.34, 3.0.35, 3.0.36, 3.0.37, 3.0.38, 3.0.39, 3.0.40, 3.0.41, 3.0.42, 3.0.43, 3.0.44, 3.0.45, 3.0.46, 3.0.47, 3.0.48, 3.0.49, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.21, 3.1.22, 3.1.23, 3.1.24, 3.1.25, 3.1.26, 3.1.27, 3.1.28, 3.1.29, 3.1.30, 3.1.31, 3.1.32, 3.1.33, 3.1.34, 3.1.35, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.2.16, 3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.23, 3.2.24, 3.2.25, 3.2.26, 3.2.27, 3.2.28, 3.2.29, 3.2.30, 3.2.31, 3.2.32, 3.2.33, 3.2.34, 3.2.35, 3.2.36, 3.2.37, 3.2.38, 3.2.39, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.3.13, 3.3.14, 3.3.15, 3.3.16, 3.3.17, 3.3.18, 3.3.19, 3.3.20, 3.3.21, 3.3.22, 3.3.23, 3.3.24, 3.3.25, 3.3.26, 3.3.27, 3.3.28, 3.3.29, 3.3.30, 3.3.31, 3.3.32, 3.3.33, 3.3.34, 3.3.35, 3.3.36, 3.3.37, 3.3.38, 3.3.39, 3.3.40, 3.3.41, 3.3.42, 3.3.43, 3.3.44, 3.3.45, 3.3.46, 3.3.47, 3.3.48, 3.3.49, 3.3.50, 3.3.51, 3.3.52, 3.3.53, 3.3.54, 3.3.55, 3.3.56, 3.3.57, 3.3.58, 3.3.59, 3.3.60, 3.3.61, 3.3.62, 3.3.63, 3.3.64, 3.3.65, 3.3.66, 3.3.67, 3.3.68, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.9.1, 4.9.2, 4.10.0, 4.10.1, 4.10.2, 4.11.0, 4.12.0, 4.13.0, 4.13.1, 4.13.2, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.23.1, 4.23.2, 4.24.0, 4.25.0, 4.26.0, 4.26.1, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.32.0, 4.33.0, 4.34.0, 4.35.0
All unaffected versions: 3.4.15, 3.4.16, 3.4.17, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.42.1, 4.43.0, 4.44.0, 4.45.0, 4.46.0, 4.47.0, 4.48.0, 4.49.0, 4.50.0, 4.51.0, 4.52.0, 4.53.0, 4.53.1, 4.53.2, 4.54.0, 4.55.0, 4.56.0, 4.56.1, 4.57.0, 4.57.1, 4.57.2, 4.57.3, 4.58.0, 4.58.1, 4.58.2, 4.58.3, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 5.6.0, 5.6.1, 5.6.2, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.13.0, 5.14.0, 5.15.0, 5.16.0, 5.17.0, 5.17.1, 5.18.0, 5.19.0, 5.20.0, 5.21.0, 5.22.0, 5.22.1, 5.23.0, 5.24.0, 5.25.0, 5.26.0, 5.27.0, 5.28.0, 5.29.0, 5.30.0, 5.31.0, 5.32.0, 5.33.0, 5.33.1, 5.34.0, 5.35.0, 5.36.0, 5.37.0, 5.38.0, 5.38.1, 5.39.0